From b5cbc3725fc2bd5e45b09f67c58a61fab2127061 Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Tue, 7 Apr 2026 10:04:17 +0000
Subject: [PATCH 1/6] chore: actionlint error by replacing alias step entries with explicit step mappings
---
 .../workflows/quality-checks-devcontainer.yml | 63 ++++++++++++++++---
 .../workflows/tag-release-devcontainer.yml | 1 +
 2 files changed, 54 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/quality-checks-devcontainer.yml b/.github/workflows/quality-checks-devcontainer.yml
index fc562b42..3cae1a0f 100644
--- a/.github/workflows/quality-checks-devcontainer.yml
+++ b/.github/workflows/quality-checks-devcontainer.yml
@@ -220,8 +220,15 @@ jobs:
 outputs:
 docker_images: ${{ steps.normalized_docker_images.outputs.images }}
 steps:
- - *init_tool_versions
- - *checkout
+ - name: copy .tool-versions
+ run: |
+ cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ ref: ${{ env.BRANCH_NAME }}
+ fetch-depth: 0
 - name: Determine docker images to scan
 id: normalized_docker_images
 env:
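Review bot: The inlined `Checkout code` step leaves actions/checkout's `persist-credentials` at its default, so the job token remains in `.git/config` for the rest of the job although nothing in this hunk pushes; adding `persist-credentials: false` under `with:` is the usual fix and is what zizmor's artipacked rule (configured in this repo's zizmor.yml, see PATCH 5/6) checks for. The same copy appears in the two hunks of this patch on the next line, and PATCH 2/6 reverts all three back to `*checkout`, so the change belongs in the anchor definition the aliases expand from, which is outside these hunks. The job owning these steps starts before the hunk.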
@@ -292,10 +299,28 @@ jobs:
 matrix:
 docker_image: ${{ fromJson(needs.get_docker_images_to_scan.outputs.docker_images) }}
 steps:
- - *init_tool_versions
- - *checkout
- - *setup_npmrc
- - *cache_npm
+ - name: copy .tool-versions
+ run: |
+ cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ ref: ${{ env.BRANCH_NAME }}
+ fetch-depth: 0
+
+ - name: Setting up .npmrc
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+ echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
+
+ - name: Cache npm dependencies
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
+ with:
+ path: ./node_modules
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
 
 - name: make install
 run: |
@@ -331,10 +356,28 @@ jobs:
 run:
 shell: bash
 steps:
- - *init_tool_versions
- - *checkout
- - *setup_npmrc
- - *cache_npm
+ - name: copy .tool-versions
+ run: |
+ cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ ref: ${{ env.BRANCH_NAME }}
+ fetch-depth: 0
+
+ - name: Setting up .npmrc
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+ echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
+
+ - name: Cache npm dependencies
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
+ with:
+ path: ./node_modules
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
 
 - name: Check for SAM templates
 id: check_sam_templates
diff --git a/.github/workflows/tag-release-devcontainer.yml b/.github/workflows/tag-release-devcontainer.yml
index 52fca83c..4b0f3d02 100644
--- a/.github/workflows/tag-release-devcontainer.yml
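Review bot: In `Setting up .npmrc` the token is expanded by the shell before the redirect (`${NODE_AUTH_TOKEN}` sits inside double quotes), so the resolved secret is written to `~/.npmrc` on disk for the rest of the job, and `>>` appends rather than replaces, which matters wherever the runner home is reused. Single-quoting the first line, `echo '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}' >> ~/.npmrc`, keeps only the placeholder in the file and lets npm resolve it from the environment, provided the steps that run npm (for example `make install` below) receive `NODE_AUTH_TOKEN` in their env. PATCH 2/6 reverts this copy and the one in the next hunk to `*setup_npmrc`, so the adjustment applies to that anchor's definition, outside this hunk, assuming it has the same body.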
+++ b/.github/workflows/tag-release-devcontainer.yml
@@ -84,6 +84,7 @@ jobs:
 permissions:
 id-token: "write"
 contents: "write"
+ packages: "write"
 runs-on: ubuntu-22.04
 container:
 image: ${{ inputs.pinned_image }}
From e05f2265ae715b396f698fda56c5494c33b0cc8b Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Tue, 7 Apr 2026 10:57:25 +0000
Subject: [PATCH 2/6] revert: aliased workflow steps
---
 .../workflows/quality-checks-devcontainer.yml | 63 +++---------------
 1 file changed, 10 insertions(+), 53 deletions(-)
diff --git a/.github/workflows/quality-checks-devcontainer.yml b/.github/workflows/quality-checks-devcontainer.yml
index 5c546f67..085a5e8b 100644
--- a/.github/workflows/quality-checks-devcontainer.yml
+++ b/.github/workflows/quality-checks-devcontainer.yml
@@ -196,15 +196,8 @@ jobs:
 outputs:
 docker_images: ${{ steps.normalized_docker_images.outputs.images }}
 steps:
- - name: copy .tool-versions
- run: |
- cp /home/vscode/.tool-versions "$HOME/.tool-versions"
-
- - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- with:
- ref: ${{ env.BRANCH_NAME }}
- fetch-depth: 0
+ - *init_tool_versions
+ - *checkout
 - name: Determine docker images to scan
 id: normalized_docker_images
 env:
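Review bot: `packages: "write"` is requested at job level, so it is granted on every invocation of this reusable workflow, including the dry runs callers make (`dry_run: true` in pull_request.yml), and every caller must now grant it as well, which is what PATCH 4/6 and 6/6 do for pull_request.yml, release.yml and the README example. If the publishing work is a distinct step, moving it into its own job gated with `if: ${{ !inputs.dry_run }}` would confine the write scope to the publishing path, though whether a caller's grant is still enforced for a skipped job should be verified. Either way a comment on the new line naming the consumer, e.g. `packages: "write"  # needed by the <publishing step> - confirm`, would keep the grant reviewable. The job definition starts before the hunk.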
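Review bot: Restoring `*init_tool_versions` and `*checkout` brings back the aliased step entries that PATCH 1/6's subject says actionlint rejected, and nothing else in the series touches the actionlint configuration, so the revert message should state how that error is resolved (or that it was not one). Since 1/6 and 2/6 cancel out for this file, squashing them out of the series would leave a cleaner history; the same applies to the two hunks of this patch on the next line. The enclosing job starts before the hunk.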
@@ -279,28 +272,10 @@ jobs:
 matrix:
 docker_image: ${{ fromJson(needs.get_docker_images_to_scan.outputs.docker_images) }}
 steps:
- - name: copy .tool-versions
- run: |
- cp /home/vscode/.tool-versions "$HOME/.tool-versions"
-
- - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- with:
- ref: ${{ env.BRANCH_NAME }}
- fetch-depth: 0
-
- - name: Setting up .npmrc
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
- echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
-
- - name: Cache npm dependencies
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
- with:
- path: ./node_modules
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ - *init_tool_versions
+ - *checkout
+ - *setup_npmrc
+ - *cache_npm
 
 - name: make install
 run: |
@@ -332,28 +307,10 @@ jobs:
 run:
 shell: bash
 steps:
- - name: copy .tool-versions
- run: |
- cp /home/vscode/.tool-versions "$HOME/.tool-versions"
-
- - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- with:
- ref: ${{ env.BRANCH_NAME }}
- fetch-depth: 0
-
- - name: Setting up .npmrc
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
- echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
-
- - name: Cache npm dependencies
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
- with:
- path: ./node_modules
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ - *init_tool_versions
+ - *checkout
+ - *setup_npmrc
+ - *cache_npm
 
 - name: Check for SAM templates
 id: check_sam_templates
From a4d7996f9cd00180eca2d5a015d1afcc47c5d851 Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Tue, 7 Apr 2026 13:12:43 +0000
Subject: [PATCH 3/6] chore: trigger build
From 67028e917d4b14c5b2e19fb379acaa6f97e75c9d Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Tue, 7 Apr 2026 13:24:22 +0000
Subject: [PATCH 4/6] chore: pr needs to grant packages write too
---
 .github/workflows/pull_request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 5b28367f..6b8aa28b 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -49,7 +49,7 @@ jobs:
 needs: get_config_values
 uses: ./.github/workflows/tag-release-devcontainer.yml
 permissions:
- packages: read
+ packages: write
 id-token: write
 contents: write
 with:
From 8dfa5ed73ee37a32f016c5e0b4f0c4d57a9778fc Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Tue, 7 Apr 2026 13:39:43 +0000
Subject: [PATCH 5/6] chore: update zizmor for the last commit
---
 zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zizmor.yml b/zizmor.yml
index e427669e..2c176dc9 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -14,4 +14,4 @@ rules:
 artipacked:
 ignore:
 # this is ignored as its based on using an input to the workflow
- - tag-release-devcontainer.yml:114:15
+ - tag-release-devcontainer.yml:115:15
From 36729f184809a1005182e947447adec061869220 Mon Sep 17 00:00:00 2001
From: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
Date: Tue, 7 Apr 2026 14:08:07 +0000
Subject: [PATCH 6/6] chore: package permissions for tag-release
---
 .github/workflows/pull_request.yml | 2 +-
 .github/workflows/release.yml | 1 +
 README.md | 4 ++++
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 6b8aa28b..822d1a90 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
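Review bot: Raising the caller's grant from `packages: read` to `packages: write` gives a PR-triggered job write access to the package registry even though this invocation is a dry run (`dry_run: true` under the same job in PATCH 6/6), which is wider than least privilege; the widening is forced by the callee's job-level request added in PATCH 1/6, so any narrowing has to happen in tag-release-devcontainer.yml. Until then, confirm this workflow runs on `pull_request` rather than `pull_request_target`, so a write-scoped token is never issued for fork-authored PRs, and record the reason on the line: `packages: write  # required by tag-release-devcontainer.yml's job permissions even when dry_run is true`. The trigger block is outside the hunk.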
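Review bot: The artipacked ignore is keyed by `line:col`, which is presumably why this commit has to move it from `114:15` to `115:15` after a line was inserted above it in PATCH 1/6; every future edit above that point in tag-release-devcontainer.yml silently invalidates the suppression and the finding resurfaces, or worse, the ignore lands on a different step. If the zizmor version in use supports it, an inline `# zizmor: ignore[artipacked]` comment on the step it covers, or a file-level `tag-release-devcontainer.yml` entry in this list, would survive edits. The justification comment above should also name which workflow input is meant and why persisted checkout credentials cannot reach an artifact there, since "based on using an input" does not explain why artipacked's concern does not apply.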
@@ -49,9 +49,9 @@ jobs:
 needs: get_config_values
 uses: ./.github/workflows/tag-release-devcontainer.yml
 permissions:
- packages: write
 id-token: write
 contents: write
+ packages: write
 with:
 dry_run: true
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0b95dfc3..e1322dee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
 permissions:
 id-token: write
 contents: write
+ packages: write
 with:
 dry_run: false
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/README.md b/README.md
index 13270b95..f6290d9c 100644
--- a/README.md
+++ b/README.md
@@ -174,6 +174,10 @@ jobs:
 tag_release:
 uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f5c8313a10855d0cc911db6a9cd666494c00045a
 needs: [get_config_values]
+ permissions:
+ id-token: write
+ contents: write
+ packages: write
 with:
 tag_format: "v\\${version}-beta"
 dry_run: true